PIN Skimmer Uses Mobile Cameras and Microphones to Infer Passcodes

The appropriately named “PIN Skimmer” software runs on the mobile device and simply records the sounds of the keystrokes when a user enters a PIN

The appropriately named “PIN Skimmer” software runs on the mobile device and simply records the sounds of the keystrokes when a user enters a PIN; it also estimates the phone’s orientation and watches facial expressions of the user while the PIN is being entered to guess which part of the screen is touched. Using these contextual clues, the software can infer a four-digit PIN code with relatively decent accuracy: more than 50% of the time after just five attempts on a Samsung Galaxy S3, for instance.

“By recording audio during PIN input, we can detect touch events,” said Ross Anderson and Laurent Simon, in their paper. “By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events. Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users.”

To get the app on the device is a matter of using normal infection routes, such as masquerading as a non-malicious app in an app store; tricking users into installing it via social engineering techniques; using drive-by downloads or QR codes; or exploiting a vulnerability in Android to gain root access on the device. “We later discovered that, with some ingenuity, the attack can be performed by any app with camera and microphone permission,” the two noted.

Once the trojan has inferred the PIN used to unlock, say, a banking app running in the trusted OS, the attackers need to cash out.

“We imagine that real miscreants would advertise the PINs of phones they have compromised in underground forums along with the location of the devices,” the researchers noted. “Remember that the trojan has root access in Android so has access to the GPS at will.”

Smartphone thieves could also optimize physical theft by selectively tracking potential victims for whom the banking app's PIN is advertised in an underground forum.

"We hope to raise awareness of the diculty of designing a sound trusted path in general," the researchers noted. "Designers must be aware of covert channel risks and engineer the overall system accordingly. On smart OSes like Android, reasoning about the security of a trusted path becomes more complex as new features and services are added over time."